• pkg/ports, pkg audit, and libxml2

    From Winston@21:1/5 to All on Sat Jun 14 18:50:25 2025
    A while back, a security notice for libxml2 appeared.

    The links from 'pkg audit' to pages describing its issues
    gave the version number required to resolve the issues.

    My questions:

    1) Does having what appears to be a FreeBSD-style version number on
    those problem description pages in any way imply that the fixed
    version is available via 'ports', or is it usually just the
    upstream's version number converted to what will eventually be
    its FreeBSD version number?

    2) On average, is there usually much lag between an updated version
    becoming available via ports versus via pkg (latest)?

    In the case of libxml2 in particular, pkg audit flagged it what seems
    like 2-3 weeks ago as needing an upgrade to 2.14.2, yet pkg as of today
    still has only version 2.11.9. This seems like longer than usual for a
    fix to appear.

    Thanks,
    -WBE

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Christian Weisgerber@21:1/5 to Winston on Mon Jun 16 12:53:02 2025
    On 2025-06-14, Winston <wbe@UBEBLOCK.psr.com.invalid> wrote:

    > A while back, a security notice for libxml2 appeared.
    >
    > The links from 'pkg audit' to pages describing its issues
    > gave the version number required to resolve the issues.

    They do? All I see is that such-and-such version is affected.
    The underlying database is generated from security/vuxml.

    > 1) Does having what appears to be a FreeBSD-style version number on
    > those problem description pages in any way imply that the fixed
    > version is available via 'ports', or is it usually just the
    > upstream's version number converted to what will eventually be
    > its FreeBSD version number?

    The vuxml entry has a <range> element, which typically just contains
    a <lt> (less than), indicating that any version LESS THAN the given
    FreeBSD package version is affected. Sometimes people create the
    vuxml entry when they upgrade the port to a version with a fix,
    sometimes they create the vuxml entry before a fix is available.

    > In the case of libxml2 in particular, pkg audit flagged it what seems
    > like 2-3 weeks ago as needing an upgrade to 2.14.2, yet pkg as of today
    > still has only version 2.11.9. This seems like longer than usual for a
    > fix to appear.

    Yes, that is unusually long and... *checks repository*... the port
    still hasn't been updated.

    I _suspect_ the problem is that the port is still at 2.11.x, libxml
    head is at 2.14.x, and there are breaking changes in between that
    need to be dealt with. (OpenBSD went from 2.13.x to 2.14.x in April
    and had to deal with some breakage.)

    --
    Christian "naddy" Weisgerber naddy@mips.inka.de

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
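    Christian's description of the vuxml `<range>`/`<lt>` element, worked through as an added example (not code from this thread, from VuXML, or from FreeBSD's pkg): a constructed VuXML-style record is checked against installed version strings using a simplified re-implementation of FreeBSD package version ordering. The record, its vid, and the ordering rules are assumptions for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed VuXML-like record (not a real entry; real VuXML also carries
# xmlns="http://www.vuxml.org/apps/vuxml-1", which ET would need in tag names).
VUXML_SAMPLE = """<vuxml>
  <vuln vid="example-0000">
    <topic>libxml2 -- example issue</topic>
    <affects><package>
      <name>libxml2</name>
      <range><lt>2.14.2</lt></range>
    </package></affects>
  </vuln>
</vuxml>"""

def parse_version(v: str):
    """Key for a FreeBSD-style 'version_revision,epoch' string (simplified
    pkg-version(8) ordering: epoch, then dotted numeric/alpha parts, then _revision)."""
    epoch = 0
    if "," in v:
        v, e = v.rsplit(",", 1)
        epoch = int(e)
    rev = 0
    if "_" in v:
        v, r = v.split("_", 1)
        rev = int(r)
    # digit runs compare numerically, letter runs compare as strings
    comps = [(0, int(t)) if t.isdigit() else (1, t)
             for t in re.findall(r"\d+|[A-Za-z]+", v)]
    return (epoch, comps, rev)

def version_lt(installed: str, bound: str) -> bool:
    """True when installed sorts strictly before bound (the <lt> semantics)."""
    return parse_version(installed) < parse_version(bound)

def affected_topics(vuxml_text: str, name: str, installed: str):
    """Topics of every <vuln> whose <range><lt> covers the installed version."""
    hits = []
    for vuln in ET.fromstring(vuxml_text).iter("vuln"):
        for pkg in vuln.iter("package"):
            if pkg.findtext("name") != name:
                continue
            for rng in pkg.iter("range"):
                lt = rng.findtext("lt")
                if lt is not None and version_lt(installed, lt):
                    hits.append(vuln.findtext("topic"))
    return hits
```

    Because the bound is strictly less-than, a backported revision such as 2.11.9_1 still matches a `<lt>2.14.2</lt>` range, so a fix shipped that way is only recognised once the vuxml entry itself is revised.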
  • From John D Groenveld@21:1/5 to naddy@mips.inka.de on Mon Jun 16 16:55:54 2025
    In article <slrn10504te.1p7b.naddy@lorvorc.mips.inka.de>,
    Christian Weisgerber <naddy@mips.inka.de> wrote:
    > Yes, that is unusually long and... *checks repository*... the port
    > still hasn't been updated.

    main is still 2.11.9: <URL:https://cgit.freebsd.org/ports/plain/textproc/libxml2/Makefile>

    > I _suspect_ the problem is that the port is still at 2.11.x, libxml
    > head is at 2.14.x, and there are breaking changes in between that
    > need to be dealt with.

    Unfortunately.
    <URL:https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=279705>

    > (OpenBSD went from 2.13.x to 2.14.x in April
    > and had to deal with some breakage.)

    Looks like there's Porters activity fixing breakage and deprecating
    ports that are dependent on the legacy API but no longer maintained
    by upstream: <URL:https://bugs.freebsd.org/bugzilla/buglist.cgi?bug_status=Open&bug_status=UNCONFIRMED&bug_status=New&bug_status=In%20Progress&field0-0-0=product&field0-0-1=component&field0-0-2=alias&field0-0-3=short_desc&field0-0-4=status_whiteboard&no_redirect=1&order=changeddate%20DESC%2Cbug_status%2Cpriority%2Cassigned_to%2Cbug_id&query_format=advanced&type0-0-0=substring&type0-0-1=substring&type0-0-2=substring&type0-0-3=substring&type0-0-4=substring&value0-0-0=libxml2&value0-0-1=libxml2&value0-0-2=libxml2&value0-0-3=libxml2&value0-0-4=libxml2>

    John
    groenveld@acm.org

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Winston@21:1/5 to Christian Weisgerber on Mon Jun 16 19:47:31 2025
    Christian Weisgerber <naddy@mips.inka.de> wrote regarding libxml2:
    > Yes, that is unusually long and... *checks repository*... the port
    > still hasn't been updated.
    > ...
    > (OpenBSD went from 2.13.x to 2.14.x in April
    > and had to deal with some breakage.)

    to which groenveld@acm.org (John D Groenveld) replied:
    > Looks like there's Porters activity fixing breakage and deprecating
    > ports that are dependent on the legacy API but no longer maintained
    > by upstream: <URL:https://bugs.freebsd.org/bugzilla/buglist.cgi?bug_status=Open&bug_status=UNCONFIRMED&bug_status=New&bug_status=In%20Progress&field0-0-0=product&field0-0-1=component&field0-0-2=alias&field0-0-3=short_desc&field0-0-4=status_whiteboard&no_redirect=1&order=changeddate%20DESC%2Cbug_status%2Cpriority%2Cassigned_to%2Cbug_id&query_format=advanced&type0-0-0=substring&type0-0-1=substring&type0-0-2=substring&type0-0-3=substring&type0-0-4=substring&value0-0-0=libxml2&value0-0-1=libxml2&value0-0-2=libxml2&value0-0-3=libxml2&value0-0-4=libxml2>

    14 matching bugs found. Oh, joy: they didn't just fix the bugs,
    they broke stuff, too. :-/

    Well, that explains why 2.14.2 hasn't appeared in the pkg repository
    yet. Thanks!
    -WBE

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Winston@21:1/5 to I previously on Mon Jun 16 20:38:20 2025
    I previously wrote:
    > The links from 'pkg audit' to pages describing its issues
    > gave the version number required to resolve the issues.

    to which Christian Weisgerber <naddy@mips.inka.de> replied:
    > They do? All I see is that such-and-such version is affected.

    but then added:

    > The vuxml entry has a <range> element, which typically just contains
    > a <lt> (less than), indicating that any version LESS THAN the given
    > FreeBSD package version is affected.

    Yes, which I see as equivalent to "giving the version number required to resolve the issues", since, as you say, it's '<', not '<='.

    > Sometimes people create the vuxml entry when they upgrade the port to
    > a version with a fix, sometimes they create the vuxml entry before a
    > fix is available.

    [Leaving out a lot, rather than quoting it all ...]

    OK, I think you've answered my original question: the vulnerability
    description having a version number for the fix does NOT mean that said
    fix is actually available yet -- it could be just the version number
    that eventually will be used once the fix does become available.

    Thanks,
    -WBE

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Winston@21:1/5 to All on Fri Jun 27 01:18:02 2025
    Just a quick note:

    It appears FreeBSD solved the problems by releasing
    libxml2 2.11.9_1, rather than going to 2.14.* as the
    vulnerability description pages originally indicated
    would be needed.
    -WBE

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)